Introduction


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals' rights.


The public consultation on the draft code will remain open until 4 
March 2020. The Information Commissioner welcomes feedback on
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 


Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner's Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see
our privacy notice.


Q1 Is the draft code clear and easy to understand? 


x 


Yes 
No 


If no please explain why and how we could improve this: 


Overall, the draft Code is a helpful document. It is well written and clearly set out with lots of
cross-references, making it easily accessible. However there are areas which lack clarity and would benefit
from greater detail, which are set out in response to Q2 below. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


x 


Yes 
No 


If no please explain what changes or improvements you would like to see?


There are various parts of the Code where we would like greater detail and further examples: 


Marketing Communication/service communication p.19-20 


We would ask for greater clarification on the distinction between a ‘marketing communication’ 
and a ‘service communication’. The approach in the Code is not very clear and somewhat 
inconsistent. 


The Code states: ‘In order to determine whether a communication is a service message or a 
direct marketing message, a key factor is likely to be the phrasing, tone and context.’ It then 
goes on to explain: ‘If a message is actively promoting or encouraging an individual to make 
use of a particular service, special offer, or upgrade for example, then it is likely to be direct 
marketing. However if the message has a neutral tone and simply informs the individual for 
example of a benefit on their account then these are more likely to be viewed as a service 
message.’


The tone and whether it is ‘neutral’ seems to be of particular relevance, yet in the same 
passage, the Code then states: ‘However, it is important to understand that you cannot avoid 
the direct marketing rules by simply using a neutral tone.’ It goes on to make the example of a 
message from a supermarket chain sent to an individual saying ‘Your local supermarket stocks 
carrots’ and indicates that this is clearly still promotional despite the use of a neutral tone. 


The extent to which tone is relevant and how firms can rely on a neutral tone is unclear. Greater 
clarity on this point with some additional examples would be helpful. 


On p.20, the Code sets out an example of a mobile network provider text message advising 
customers that they are reaching their monthly limit. If the message also encourages customers 
to take up a special offer to buy more data, then it constitutes direct marketing. 

Most customers would expect to have an easy link or information on buying more data if they 
were approaching their limit and arguably would regard this as a service message. A clearer 
example would be helpful to confirm that a message containing information on how to buy more
data would still be a service message. 


Public Sector Communications p.23 


The Code makes the example of a GP sending text messages to patients: 

‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 
12345678 to make an appointment.’ 

The Code states this is more likely to be considered to be direct marketing because it does not 
relate to the patient’s specific care but rather to a general service that is available. We are of 
the view that most individuals would not regard as direct marketing the type of message in this 
example in the Code i.e. information messages from GPs about how to obtain a flu vaccination. 
Could this point be clarified? 


Do we need to complete a DPIA? p.28 


The Code sets out a list of processing operations where a DPIA is required as these are ‘likely 
to result in high risk’. Many of these operations that require a DPIA are relevant to the direct 
marketing context: 
• data matching e.g. for direct marketing
• invisible processing e.g. list brokering, online tracking by third parties, online advertising,
re-use of publicly available data.


Article 35(3)(a) states a DPIA is required where there is a systematic and extensive evaluation 
of personal aspects of a natural person based on automated processing including profiling and 
on which decisions are made that produce legal effects concerning the natural person. The 
Code does not accurately reflect the dual requirement of decisions that produce legal effects 
on natural persons. 


Legitimate interest p.34-36 
To properly rely on legitimate interest, organisations need to undertake a careful balancing
exercise (a ‘legitimate interests assessment’) to ensure that the rights of the individual do
not override the aims pursued by the organisation. The Code makes clear that, central to 
such assessment, is whether people would expect the use of their data in this way. If the 
ICO means that the use must be in the reasonable expectations of the individual, then 
greater detail and examples of what amounts to reasonable expectations would be helpful. 


Profiling p.58 

The Code states: ‘It is unlikely that you will be able to apply legitimate interests for intrusive 
profiling for direct marketing purposes. This type of profiling is not generally in an 
individual’s reasonable expectations and is rarely transparent enough.’ It is unclear what 
the ICO considers ‘intrusive’ profiling to be, especially since this term is not defined in the 
legislation. It would be more helpful to provide advice and objective criteria on how to 
conduct a LIA and a balancing test. 


At page 58, the Code goes on to say ‘Remember, if you want to engage in ‘large-scale 
profiling’ or ‘wealth profiling’ you are required to complete a DPIA before you start 
processing.’ Setting this out as an absolute requirement goes further than Article 35. 
Requiring this level of documentation and analysis for the wider types of direct marketing 
suggested by the ICO is excessive and risks producing a counter-productive, box-ticking 
culture. 


Incentivisation of consent p.33 
The Code states: ‘You should not coerce or unduly incentivise people to consent to direct
marketing. However in the marketing context there is usually some inherent benefit to
individuals if they consent to marketing, eg discounted products or access to special offers.
But you must be careful not to cross the line and unfairly penalise those who refuse consent
to your direct marketing.’ We would appreciate more guidance and examples of what the
red lines are and more advice to understand what the threshold is to distinguish incentives
from unfairly penalising those who refuse consent.


Refresh of consent p.42 
Greater clarification and detail on what is a reasonable timeframe to refresh consent where
it has been collected directly would also be useful. If a firm continues to market, provides
an unsubscribe each time, a client managed preference centre and has received no 
negative comments, what timeframe would the ICO deem reasonable then to refresh 
consent? 


What do we need to tell people if we collect their data from other sources? p.48-49
Article 14(3) states you must provide privacy information to individuals at the earlier of:

• one month from date of collection
• when the data is used for communications with the individuals; and
• when the data is shared with other parties.


At page 49, the Code states ‘you are unlikely to be able to rely on disproportionate effort 
in situations where you are collecting personal data from various sources to build an 
extensive profile of an individual’s interests and characteristics for direct marketing 
purposes...If you do not actively tell people about your processing it results in ‘invisible 
processing’.’ This statement lacks clarity and may lead to ambiguity. It would be more 
helpful if the ICO provided objective criteria to consider the application of Article 14, 
including objective criteria as to when the exemptions to Article 14 may apply. 


It was not anticipated that a statutory code of practice would introduce terms, such as 
‘invisible processing’ on page 50, which are not defined in legislation. 


What do we need to consider when buying or renting direct marketing lists? p.52 
In the section on records of the consent, one of the questions is ‘were you named?’ 


Requirement for end user brands to be named at point of collection of data would make it 
very difficult to aggregate any sizeable volumes of data. Some SME brands may not be 
recognised by individuals and therefore there is an argument that description of industry 
sectors is more informative and transparent. 


Can we match or append data? p.60 

The Code states ‘In most instances, buying additional contact details for your existing 
customers or supporters is likely to be unfair, unless the individual has expressly agreed. 
This is because it removes people’s choice about what channels you can contact them on 
for direct marketing purposes’. 

We believe there should be a distinction whether the purpose for matched/appended data is 
direct marketing or service messages. We would like additional guidance and examples to 
clarify whether additional contact details used solely for service messages, would still need 
the individual’s explicit consent, or whether the business selling the product/service could 
rely on legitimate interest. 


Can we use data cleansing and tracing services? p.61 

The Code states ‘Tracing an individual for direct marketing purposes takes away control from 
people to be able to choose not to tell you their new details. Your commercial interests in 
continuing to market them do not outweigh this. Therefore you are unlikely to be able to 
justify this processing under legitimate interests.’ 

We would like further guidance and examples to clarify the due diligence companies should 
carry out to confirm what purposes their clients use data for, e.g. service messages only, or 
mixture of service messages and direct marketing. 


Q3 Does the draft code cover the right issues about direct marketing? 


Yes 
X No 


If no please outline what additional areas you would like to see 
covered: 


Overall, we believe that the Code covers the right issues about direct marketing, however there are 
various points where we believe the Code goes beyond its remit. 


The Code includes good practice recommendations around consent: at p.31 the draft states: ‘Get
consent for all your direct marketing regardless of whether PECR requires it or not.’ 


However, Recital 47 of GDPR states: ‘The processing of personal data for direct marketing 
purposes may be regarded as carried out for a legitimate interest.’ 


The Code seems to lean heavily towards consent. We are of the view that the Code should explain 
what the law is and provide recommendations on how to comply with the law not make 
recommendations of this nature, when relying on legitimate interest may be a valid position to take. 


The emphasis in the draft Code on consent differs from the ICO’s blog on 16/08/2017 that consent is 
not the silver bullet and all 6 lawful bases are equal. Rather than statements of good practice it would 
be helpful for the ICO to provide more information on what to include in a DPIA and how to carry out 
a good LIA and balancing test. National GDPR interpretations must not obstruct the fundamental 
freedom of movement of goods and services. Insisting on consent as the only legal ground for 
marketing is not supported by the wording of GDPR. 


The Code contains a further good practice recommendation at p.42 stating: 


‘When sending direct marketing to new customers on the basis of consent collected by a third party 
we recommend that you do not rely on consent that was given more than six months ago’. This means 
that processes will need to be in place to periodically refresh such consents. The six month period is 
not required by law (no period for consent refresh is required under GDPR). Six months is an unduly 
short period of time for this and might be a particularly onerous compliance requirement, especially as 
there may be many legitimate reasons why contact may be delayed. In addition, asking individuals to 
refresh consent every 6 months could be more irritating and intrusive than the actual marketing 
communications. 

It is also not clear whether the 6 month period is for all marketing e.g. postal as well as telephone? 
This is much tighter than current DMA guidance which recommends standard of lifetime of consent: 


• for 3rd party data, 6 months for telephone and 24 months for postal
• for all 1st party data, maximum time consent can remain valid is 24 months


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


X Yes 


No 


If no please outline what additional areas you would like to see covered 


Q5 Is it easy to find information in the draft code?


X Yes 
No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad,
that you think it would be useful to include in the code?


Yes 


x No 


If yes, please provide your direct marketing examples:


Q7 Do you have any other suggestions for the direct marketing code? 
We like the plain English style and think that overall it is very well written and clear. We like the links and 
cross-references which make it an easy document to navigate. 


Greater clarity and detail on the points mentioned above with some additional worked examples would 
be very useful. 


About you 


Q8 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Personal Investment and Financial Advice Association (PIMFA) 


If other please specify: 


Q9 How did you find out about this survey? 


O ICO Twitter account
O ICO Facebook account
O ICO LinkedIn account
X ICO website 

X ICO newsletter 

O ICO staff member 

X Colleague 


Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 




Thank you for taking the time to complete the survey 


